AUSTIN, Texas -- What a difference a year makes, especially when it comes to Docker and security.

One year ago, Linux container security was the chief concern among enterprises that sought to put the new technology into production. At DockerCon here last week, large enterprises instead extolled the virtues -- even advantages -- of containers for IT security, due in large part to recent Docker container security updates.


Improved security was one of the top three reasons to containerize some 400 apps for The Northern Trust Company, an investment bank in Austin, Texas.

The process to patch thousands of VMs was condensed down to a single container image, said Robert Tanner, division manager of enterprise middleware services at the bank, during a presentation at the conference.

The ability to patch container images instead of VMs offers more consistency and allows less room for error, Tanner said. Docker Enterprise Edition also now offers Docker Security Scanning, which creates a security profile for each application in Northern Trust's environment, and assesses vulnerabilities in the app before it moves into production. Docker Notary further authenticates images as they move through Northern Trust's continuous integration/continuous delivery (CI/CD) process.


Docker container security updates will allow genomics analytics company Translational Genomics Research Institute (TGen) to expand into clinical services where patient data is protected by HIPAA, while still using an efficient shared infrastructure.

"Being able to isolate workloads away from the general population means we can run [a clinical] workflow on the same machinery that I'm running my R&D [research and development] on, but will be able to do so in a way risk auditors are comfortable with," said James Lowey, CIO of TGen.

And hotel chain Hyatt has used Docker to establish a DevOps pipeline and also to speed up application development, but the hotelier has also seen security benefits. For example, containers affiliated with one another can be grouped within the same physical server and then that box can be hardened, said Ray Krueger, VP of engineering at Hyatt.

"My [chief information security officer] is excited about locking all the traffic into one box with one front door that can use a reverse proxy," Krueger said.

Docker container security updates take center stage

Demos at the event referenced recent Docker security updates, such as secure node introduction, cryptographic node identity, cluster segmentation and secure secret distribution. New features demonstrated for Docker's SwarmKit included automatic promotion of secure code to production, as well as automated rollback of the container infrastructure after security errors are discovered.

Minimalist operating systems can also be used with containers. With container-optimized OSes, such as those built from Docker's newly launched LinuxKit, all processes including system daemons run in separate containers. Only needed services are run by the OS, so deployment is more secure than with traditional all-inclusive mainstream distros.

"Just by containerizing, I can limit the attack surface [of apps] because I use a minimalist OS," said Northern Trust's Tanner.

Other newcomers, such as Aqua Security Software Inc. and Twistlock Ltd., both in San Francisco, offer behavior baselining, service whitelisting and security monitoring for containers at runtime. Twistlock rolled out version 2.0 of its platform with a bevy of Docker container security updates, such as runtime visualization enhancements; checks for compliance with X.509 keys, SSH keys, AWS tokens and other credentials; and new certificate authentication for organizations that use public key infrastructure.

Docker container security updates have entered mainstream enterprise IT products, such as Red Hat's OpenShift, which rolled out version 3.5 last week. This new version of Red Hat's Kubernetes-based PaaS includes certificate management for containers, along with warnings that certs will expire, and rolling certificate refreshes. OpenShift 3.5 also boasts improved security management with added granularity to determine which user owns which credentials in the container infrastructure.

Progress, but not IT security utopia

Though Docker container security updates have improved patching and minimized the attack surface of apps, not all enterprises are ready to forgo extra security precautions with container-based deployments.

"Even if Docker certifies an app as being safe and effective, I'm not risking $11 billion on Docker telling me it's safe," said James Ford, chief architect of strategy at ADP, the HR software company based in Roseland, N.J., which has more than $11 billion in revenues. "We need extra assurance and to prove it to ourselves."

Containerized applications can only be downloaded by ADP developers from whitelisted sources. When the code has been tested and validated and the developer wants to push it into the integration testing process, it first goes through a rebuild and a scan that uses software from Black Duck Software Inc. in Burlington, Mass. Every app also undergoes manual penetration testing before it's released into production, which adds two weeks into an otherwise automated build process.

Ford said he also has reservations about security monitoring startups.

"I want noise reduction for security software," Ford said. "I don't care if I have Heartbleed on a database server, I don't have SSL running there anyway -- tell us when it matters."
